Unencrypted laptop stolen from children's hospital employee
Date Reported:
5/28/10
Organization:
Cincinnati Children's Hospital Medical Center
Contractor/Consultant/Branch:
None
Location:
Cincinnati, Ohio
Victims:
Patients
Number Affected:
61,027
Types of Data:
"personal information, including names, medical record numbers, and services received"
Breach Description:
"The theft of an unencrypted laptop from an employee's car resulted in a breach affecting more than 61,000 patients at Cincinnati Children's Hospital Medical Center."
Reference URL:
Cincinnati Children's Hospital Medical Center News Release
Enquirer Media
GovInfoSecurity.com
Report Credit:
Cincinnati Children's Hospital Medical Center
Response:
From the online sources cited above:
A password-protected laptop computer containing information regarding 61,027 Cincinnati Children’s Hospital Medical Center patients from multiple states and several foreign countries has been stolen.
[Evan] Why even mention "password-protected"? Bypassing authentication on a laptop protected with an operating system password is trivial, and doesn't offer any real assurance that the data is safe. It almost seems misleading to mention password protection.
There has been no indication the information has been misused.
Cincinnati Children’s is notifying each of the patients or their guardians by letters mailed May 28, 2010 and offering them free identity theft protection services.
[Evan] The organization is offering "identity theft protection services" for one year. This breach potentially exposes medical information belonging to children. Does one year of "identity theft protection services" seem adequate?
The theft occurred from an employee’s vehicle parked at his residence sometime between March 27 and 29, 2010. It was reported to the Cincinnati Police.
[Evan] Seriously!? Where is the common sense? Not so common, I guess.
Upon thorough investigation by the medical center, and third-party validation, Cincinnati Children’s concluded that the information on the laptop included some personal information, including names, medical record numbers, and services received.
There were no social security numbers, telephone numbers or credit card information on the computer.
[Evan] I am much more concerned about lost medical information than I am about SSNs, telephone numbers, or credit card numbers.
The information on the laptop was password protected, but it was not encrypted.
Since this event, Cincinnati Children's has strengthened its encryption practices to ensure no PC laptop computers are issued unless the encryption process is initiated.
[Evan] This is good reactive information security. I read somewhere that reactive information security is as much as 7x more expensive than good proactive information security.
Additionally, it has improved its process for tracking the encryption of these laptops.
Finally, it is committed to communicating safe electronic practices across the institution and rolling out updated training on securing and protecting patient information to all employees.
[Evan] Hopefully on an ongoing basis, and not a one-time shot.
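The hospital's stated fix is procedural: issue no laptop until encryption has been started, and track the encryption status of every laptop. The script below is an added example, not code from the hospital or from the original post. It shows what the "tracking" step looks like as an automated check on a Linux laptop: it reads `lsblk -rn -o NAME,TYPE,MOUNTPOINT` output and flags any mounted data volume that is not backed by a dm-crypt (LUKS) device. The sample output and device names are constructed for the example; on Windows laptops the equivalent evidence comes from `manage-bde -status`, which this script does not parse.

```shell
#!/bin/sh
# Added example (not from the original page): flag mounted filesystems that
# are not backed by a dm-crypt device, using the output of
#   lsblk -rn -o NAME,TYPE,MOUNTPOINT
# A laptop is treated as compliant only when every data mount other than
# /boot sits on a device of type "crypt". The -r (raw) format escapes spaces
# inside mountpoints, so splitting on whitespace is safe.

# Constructed sample output, not captured from any real machine.
# Compliant layout: / and /home live on LUKS mappings.
SAMPLE_ENCRYPTED='sda disk
sda1 part /boot
sda2 part
luks-root crypt /
luks-home crypt /home'

# Non-compliant layout: data volumes are plain partitions. This is the
# "password-protected but not encrypted" state described in the breach.
SAMPLE_UNENCRYPTED='sda disk
sda1 part /boot
sda2 part /
sda3 part /home'

# unencrypted_mounts LSBLK_OUTPUT
# Prints "mountpoint (device)" for every mounted volume whose type is not
# "crypt". /boot is skipped: it holds the kernel and initramfs, not user
# data, and is normally left unencrypted even on a fully encrypted laptop.
unencrypted_mounts() {
  printf '%s\n' "$1" | while read -r name type mountpoint; do
    if [ -z "$mountpoint" ] || [ "$mountpoint" = /boot ]; then
      continue                      # unmounted device, or expected plain /boot
    fi
    if [ "$type" != crypt ]; then
      printf '%s (%s)\n' "$mountpoint" "$name"
    fi
  done
}

# laptop_is_compliant LSBLK_OUTPUT
# Succeeds (exit 0) when no unencrypted data mount is found.
laptop_is_compliant() {
  [ -z "$(unencrypted_mounts "$1")" ]
}

# Stand-alone use against the live system: ./check_fde.sh --live
# Exit status 1 makes the script usable from an inventory or endpoint job.
if [ "${1:-}" = "--live" ]; then
  LIVE="$(lsblk -rn -o NAME,TYPE,MOUNTPOINT)"
  if laptop_is_compliant "$LIVE"; then
    echo "OK: all data volumes are on dm-crypt devices"
  else
    echo "FAIL: unencrypted data volumes found:"
    unencrypted_mounts "$LIVE"
    exit 1
  fi
fi
```

The check is deliberately narrow: it answers only "is every data volume on an encrypted block device", which is the property the hospital says it now tracks. It does not verify key protection (TPM binding, recovery-key escrow) or that the laptop in question is the one in inventory; those would be separate checks in the same tracking process.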
“Cincinnati Children’s is committed to providing the highest level of care for its patients and their families and that includes protecting personal information,” Michael Fisher, president and CEO, wrote in the notification letter.
[Evan] I do have one nice thing to say; it is nice to see the CEO of the organization address the breach publicly. CEOs and corporate leaders should be encouraged to address information security matters directly, at least at a high level. After all, the final say and responsibility for information security rests with organizational leaders.
The notification of the families, the federal Department of Health and Human Services, and the general public through a news release and posting on the hospital's Web site are made pursuant to the Health Information Technology for Economic and Clinical Health Act approved in 2009.
It was appropriate for the employee to have the laptop outside the work setting, Feuer said. (Jim Feuer is a hospital spokesman.)
[Evan] Meaning that he/she was authorized to use this laptop outside of the organization's facility. It was NOT appropriate to leave the laptop unattended in plain sight, in a vehicle, with sensitive information stored on the hard drive, without encryption.
"We need to and are doing a better job of strengthening our encryption practices," he said.
[Evan] Among other things, I assure you.
Commentary:
How many unencrypted lost or stolen laptops have we read about over the years? It is very well known now, and it has been for years, that using laptops without proper encryption is risky. Is there any valid excuse? Every time I read about a new breach like this one, I grow more critical in my comments. These breaches are so easily prevented it's silly. The fact that this breach affects children with health issues only adds to my frustration.
Past Breaches:
Unknown